Using Samsung Pass

Samsung Pass relies on the interoperation of a Samsung Pass enabled client, the Samsung Pass Cloud, and key information which is provided by each enterprise partner to correctly identify and authenticate the following items:

  • The user’s identity

  • The user’s device

  • The Samsung Pass enabled app which the user installed on their device

Samsung Pass accomplishes this by using a variety of resources and facilities, most of which are invisible to users and partners. For example, each Samsung mobile device takes full advantage of Samsung Knox and the Knox TrustZone.

See the Samsung Knox web site for a complete description of Knox and the Knox TrustZone.

Everybody makes their preparations

Each participant in Samsung Pass, be it the enterprise developer, the device user, or Samsung itself, has to complete some basic preparations before the Samsung Pass solution is fully available. The following sections explain what these preparations are and why they are required.

The device user registers their Samsung account

Every Samsung mobile device user has the option to register their Samsung account upon first boot.

The registration operation is handled by the Samsung software and hardware. The Samsung Pass enterprise-partner cannot participate at this point.

If a user opts to skip the registration initially, it is always possible to manually initiate the registration process from the Settings menu of the device. One way, or another, the device user must register their Samsung account in order to use Samsung Pass.

Setting up the biometric authentication

Registering the Samsung account is a vital step for using Samsung Pass because the device user can now start the process of associating their identity with a biometric scan.

If the user has already set up a biometric measurement for authentication, then Samsung Pass only prompts the user to authenticate again, not take a new measurement. For the purposes of this discussion, we’ll assume the user has not previously set up biometric authentication and the measurement they take for registering their Samsung account is their first biometric measurement.

Users also set a password as part of their registration. Samsung tracks this password as a means for the user to reset the biometric measurements on the device.

Does this reset capability compromise the security of the device? No, it doesn’t. Any signing keys that are associated with an existing biometric measurement cannot be associated with a new biometric value. This means a user who registers their Samsung account after setting biometric authentication won’t jeopardize the security of the accounts that are tied to existing biometric values.

A quick word about FIDO

Samsung Pass incorporates a Fast IDentity Online (FIDO) server in the Samsung Pass Cloud and a FIDO client in the Samsung Pass Authentication Framework on the mobile device.

FIDO is a standard protocol for converting biometric-authentication information on a device to user-authentication information on a server without compromising the user’s privacy.

FIDO allows Samsung Pass to securely relay user approval and user authentication information between the device and the Samsung Pass Cloud. The Samsung Pass Cloud, in turn, can share the validation and authentication information with the enterprise partner’s servers as requested.

See the FIDO alliance home page for more information about the FIDO standard.

What happens after the user chooses to use biometric authentication?

After the user has successfully registered their Samsung account and opted to use Samsung Pass, both the Samsung Pass Authentication Framework and Knox start their work on the mobile device. They create a secure way to associate the device user with their specific device. This process is handled by the Samsung software and hardware. The Samsung Pass enterprise-partner cannot participate at this point.

The Samsung Pass Authentication Framework asks Knox to create an asymmetric signing key in the Knox TrustZone.

Next, the Knox TrustZone uses the private portion of the asymmetric key to generate a certificate chain. The certificate chain includes the public portion of the device root key and asymmetric signing key. The device root key is unique to each device and is set at the point of manufacture. The public key serves to verify the user’s identity on this device for the FIDO server.

Finally, Knox passes the certificate chain to the Samsung Pass Authentication Framework, which uploads it to the Samsung Pass Cloud.

The Samsung Pass Cloud now has secure, specific information for this device. It knows the public portion of the device root key and the asymmetric signing key which is stored safely in the Knox TrustZone.

What does the Samsung Pass Cloud do with the credentials from the device?

The Samsung Pass Cloud must verify the credentials that the device provides.

Using proprietary processes which Samsung conducts independently of any Samsung Pass partner, the Samsung Pass Cloud checks that the certificate chain is rooted by a legitimate Samsung Root Key.

Once the check passes, the Samsung Pass Cloud considers the device secure and authentic.

The mobile device and the user of the device are now authenticated in the Samsung Pass Cloud. The Samsung Pass Cloud starts to log the user’s authentication attempts and can share each attempt’s information with enterprise partners upon request.

All of these operations stem from the user’s initial act of registering their Samsung account and choosing to use biometric authentication. The Samsung Pass partner’s software and servers aren’t involved in any of this work.

The enterprise partner registers their Samsung Pass enabled app

The counterpart to the user registration process on the Samsung Pass Cloud is the enterprise partner’s registration process.

Each Samsung Pass enterprise-partner who wants to take advantage of biometric authentication on a Samsung mobile device must register their Samsung Pass enabled app with the Samsung Pass Cloud. In order to do so, a partner needs to log into their Samsung Pass Cloud account and share some basic information.

None of the following registration information jeopardizes enterprise security or user privacy:

  • The package name for the app

  • A URL from which users can download the app

  • A certificate for authenticating the app

  • An icon for the installed app

After this information is available to the Samsung Pass Cloud and the device user has successfully registered their Samsung account, all the preparations are complete.

Now, the user must install the Samsung Pass enabled app on their device and decide if they want to switch to biometric authentication.

After preparations are complete, installing the Samsung Pass enabled app

The device user must download the Samsung Pass enabled app to their mobile device, install the app and launch it. The device user then logs into their enterprise account by means of a traditional login and password. This process is handled by the infrastructure and security software endorsed by the enterprise. Samsung Pass is not party to this login and authentication step.

The enterprise server generates and shares session details

Once the user has successfully logged into their enterprise account, the Samsung Pass enabled app on the mobile device needs to prompt the enterprise server to generate, and share, session details.

This is the first action for Samsung Pass which is not initiated and managed by Samsung Pass or the Samsung device. It’s up to the enterprise partner developers to implement this request as part of their Samsung Pass enabled app.

The enterprise server must respond with session details that include a nonce and an opaque identifier.

The nonce is a cryptographic means of ensuring that the transaction is live as opposed to an unauthorized duplicate of a previous transaction.

The opaque identifier is issued by the enterprise server for the purpose of identifying the specific Samsung Pass enabled app on a specific device. It is critical that the contents of the opaque identifier be structured such that each opaque identifier is specific to one app installation. Samsung Pass stores the opaque identifier in the Samsung Pass Cloud and always associates it with this device.

The opaque identifier is encrypted so the contents are not visible to any of the Samsung hardware or software. Upon future request by the enterprise partner, Samsung Pass returns the opaque identifier to help the enterprise verify the authenticity of the app and device.

Samsung recommends either of the following algorithms for obfuscating the contents of the opaque identifier:

  • AES-GCM

  • HMAC-SHA256
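The following is an added example (not Samsung's code or SDK) of what the enterprise-server side of this step can look like: a per-request nonce that is accepted only once and only inside a short window, and an opaque identifier built with HMAC-SHA256 over a per-installation record under a key only the enterprise holds, so Samsung Pass stores a value whose contents it cannot read and which the enterprise can later resolve back to the installation. The class, the `opaqueIdentifier` and `nonce` field names, the record layout and the key-length rule are all assumptions for illustration; an AES-GCM variant would instead carry the record encrypted inside the identifier rather than needing the lookup table used here.

```python
import base64
import hashlib
import hmac
import secrets
import time


class EnterpriseSessionService:
    """Hypothetical enterprise-server issuer of Samsung Pass session details.

    The nonce proves a transaction is live (single use, short window). The
    opaque identifier is the HMAC-SHA256 tag of a per-installation record
    under a key only this server holds, so the value Samsung Pass stores
    reveals nothing and can only be resolved here.
    """

    def __init__(self, opaque_key, nonce_ttl_seconds=120, clock=time.time):
        if len(opaque_key) < 32:
            raise ValueError("opaque_key must be at least 256 bits")
        self._key = opaque_key
        self._ttl = nonce_ttl_seconds
        self._clock = clock          # injectable so the window can be tested
        self._pending_nonces = {}    # nonce -> expiry timestamp
        self._installations = {}     # opaque identifier -> (user_id, app_install_id)

    @staticmethod
    def _record(user_id, app_install_id):
        # Length-prefix each field so ("ab", "c") and ("a", "bc") never collide.
        fields = (user_id.encode(), app_install_id.encode())
        return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

    def _tag(self, user_id, app_install_id):
        digest = hmac.new(self._key, self._record(user_id, app_install_id), hashlib.sha256).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

    def make_opaque_identifier(self, user_id, app_install_id):
        """One opaque identifier per app installation, stable across re-issues."""
        opaque = self._tag(user_id, app_install_id)
        self._installations[opaque] = (user_id, app_install_id)
        return opaque

    def resolve_opaque_identifier(self, opaque):
        """Map an identifier returned by Samsung Pass back to (user_id, app_install_id).

        Returns None for unknown values, and also for stored records whose tag
        no longer recomputes under the current key (e.g. after key rotation).
        """
        found = self._installations.get(opaque)
        if found is None:
            return None
        if not hmac.compare_digest(self._tag(*found), opaque):
            return None
        return found

    def issue_session_details(self, user_id, app_install_id):
        """Response to the app's request after the traditional login succeeds."""
        nonce = secrets.token_urlsafe(32)
        self._pending_nonces[nonce] = self._clock() + self._ttl
        return {
            "nonce": nonce,
            "opaqueIdentifier": self.make_opaque_identifier(user_id, app_install_id),
        }

    def consume_nonce(self, nonce):
        """Accept a nonce once and only inside its validity window."""
        expiry = self._pending_nonces.pop(nonce, None)  # a replay finds nothing
        if expiry is None:
            return False
        return self._clock() <= expiry
```

Because the identifier is a keyed one-way tag, two installations of the same app for the same user still get distinct identifiers, and a value presented under a different tenant's key resolves to nothing; the nonce is popped on first use, so a replayed callback fails the liveness check even inside the window.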

Switching the Samsung Pass enabled app to authenticate with biometrics

After the session details from the enterprise server are accepted by the Samsung Pass Authentication Framework, it’s time to prompt the user to determine whether or not they want to use biometric authentication in place of the traditional login and password for this app. This prompt is the responsibility of the enterprise partner’s app developers. Samsung Pass can’t perform this query, only the Samsung Pass enabled app can do it.

If the user approves, they must choose a biometric measurement (iris or fingerprint) and perform a scan. This scan is required to authenticate the user’s identity as established by the measurement the user took when they registered their Samsung account and chose to enable biometric authentication. If an unauthorized user is trying to bypass the password on a Samsung Pass enabled app by activating biometric authentication, the authentication will fail. The unauthorized user’s scan won’t match the original taken by the authorized device user back when they registered their Samsung account.

Associating an installed Samsung Pass enabled app with the enterprise partner that registered it

Once the device user approves the switch to biometrics and is authenticated, the next step in the process is to associate the installed Samsung Pass enabled app on the mobile device with the enterprise partner that registered it.

Back when the enterprise partner registered their Samsung Pass enabled app with the Samsung Pass Cloud, there was no device-specific information available. This is the first time that the specific app is present on the device so Samsung Pass must help the enterprise partner authenticate this specific installation of their application.

Comparing certificates to authenticate the Samsung Pass enabled app on the device

Establishing the association between the Samsung Pass enabled app installed on the device and the enterprise partner’s registered app means comparing certificates.

The comparison starts when the Samsung Pass Authentication Framework uses the app’s installed package to view the app-developer’s certificate.

The other certificate in this comparison is in the enterprise partner’s Samsung Pass Cloud account. Both certificates (the one on the device and the one in the Samsung Pass Cloud) contain a public key.

Public keys in Samsung Pass can be viewed as proxies for identities. When the enterprise partner registered their application in their Samsung Pass Cloud account, the public key in that application's signing certificate represented the partner's identity. The Samsung Pass enabled app on the user's device is likewise signed, and the public key in its signing certificate represents the identity of the app developer.

Samsung Pass compares the certificate on the device with the certificate in the Samsung Pass Cloud to make sure they are identical. If they match, then the Samsung Pass enabled app on the device is authenticated as a legitimate installation of the enterprise partner’s app registered in the Samsung Pass Cloud.

Associating the authenticated app on the device with the enterprise partner

Once the certificate comparison is successful, the device user needs to verify their identity through a biometric scan or the process will not continue.

Upon verification of the user’s identity, two operations occur on the mobile device as described below.

A new certificate from the device to the enterprise partner

The Samsung Pass Authentication Framework performs the first operation which generates a new certificate. This certificate lets the enterprise partner’s server verify the identity of this user on this device. Of course, the enterprise server has not yet seen this new certificate, so the Samsung Pass Authentication Framework lets the Samsung Pass enabled app know that the certificate is available for use by the enterprise partner’s server.

See A comprehensive view of the authentication certificates for a detailed explanation of the certificate involved in this step.

What about the opaque identifier? Wasn’t that supposed to verify the identity of this user on the device? Why is a new certificate needed?

The opaque identifier is created and encrypted by the enterprise partner for their own use. Samsung hardware and software merely store the opaque identifier; Samsung cannot see its contents. This new certificate is generated by Samsung Pass, so its contents are known to Samsung Pass.

An authentication token from the Samsung Pass Cloud to the device

The Samsung Pass Cloud performs the other operation that is required to associate the app with the enterprise partner. It generates an authentication token and provides it to the device. This authentication token is really a reference to the successful biometric authentication the user just performed.

The device, in turn, sends the signed authentication token, along with certain session details, to the enterprise partner’s server.

If the enterprise partner validates the session details, it forwards the session details and the authentication token to the Samsung Pass Cloud. The Samsung Pass Cloud can associate this app on this device with this enterprise partner’s account through the opaque identifier included as part of the session details.

The Samsung Pass Cloud validates the signed authentication details and returns the opaque identifier to the enterprise.

In the future, when this device user authenticates again, the enterprise can reliably associate the user with the correct enterprise account. The Samsung Pass Cloud also maintains the association between the opaque identifier from the enterprise and the certificate chain which was generated on the device by the Samsung Pass Authentication Framework.

Where did the authentication token and the opaque identifier end up?

The enterprise partner’s opaque identifier is stored by Samsung Pass and permanently associated with a specific device and user. Samsung Pass uses this identifier to let the enterprise partner know which user is authentic once all the device, app, and user checks are successfully completed.

The authentication token from Samsung Pass is generated for each authentication attempt and must be returned by the enterprise server within a short time interval. If the enterprise server fails to deliver the authentication token before the interval expires, the Samsung Pass Cloud won't provide the enterprise server with the opaque identifier or validate the identity of the user or the authenticity of the device.
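To make the token lifecycle concrete, here is an added simulation (not Samsung's code) of the cloud-side rules the preceding sections describe: a fresh token per authentication attempt, a short return window after which the opaque identifier is withheld, single use, and a permanent (device, app) to opaque-identifier association that the cloud returns on every later attempt without the enterprise supplying it again. The class, the TTL value, the enterprise callback handler and the tuple key are assumptions for illustration; verification of the device's signature over the token is assumed to happen before `redeem` is called and is not modelled.

```python
import secrets
import time
from typing import Optional


class SamsungPassCloudSim:
    """Hypothetical model of Samsung Pass Cloud token handling (simulation only)."""

    def __init__(self, token_ttl_seconds=180, clock=time.time):
        self._ttl = token_ttl_seconds
        self._clock = clock          # injectable so expiry can be tested
        self._tokens = {}            # token -> (device_id, app_package, expiry)
        self._associations = {}      # (device_id, app_package) -> opaque identifier

    def issue_authentication_token(self, device_id, app_package):
        """Issued after a successful biometric authentication; one per attempt."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (device_id, app_package, self._clock() + self._ttl)
        return token

    def redeem(self, token, opaque_identifier: Optional[str] = None):
        """Enterprise server returns the token; the cloud answers with the opaque identifier.

        First association: the enterprise supplies its opaque identifier and the
        cloud records it permanently. Later attempts: the enterprise omits it and
        the cloud returns the stored one. Returns None when the token is unknown,
        already used, expired, or no association exists and none is supplied.
        """
        entry = self._tokens.pop(token, None)   # single use: a second redeem finds nothing
        if entry is None:
            return None
        device_id, app_package, expiry = entry
        if self._clock() > expiry:
            return None                          # returned too late: identifier withheld
        key = (device_id, app_package)
        if opaque_identifier is not None:
            # Permanent association: the first value recorded for this device/app wins.
            self._associations.setdefault(key, opaque_identifier)
        return self._associations.get(key)


def enterprise_handle_device_callback(cloud, pending_nonces, nonce, token, opaque_identifier=None):
    """Hypothetical enterprise handler for the device's callback carrying the
    signed token and session details: validate the session's nonce (single use),
    then forward the token to the cloud and receive the opaque identifier."""
    if nonce not in pending_nonces:
        return None                              # stale or replayed session details
    pending_nonces.discard(nonce)
    return cloud.redeem(token, opaque_identifier)
```

On the first switch to biometrics the enterprise passes its opaque identifier along with the token; on every later biometric login it passes only the token, and the identifier it gets back is the one it originally issued, which is what lets it map the attempt to the right enterprise account.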

The Samsung Pass certificates and tokens

Samsung Pass uses the following certificates and credentials to authenticate the device, the device user, and the Samsung Pass enabled app. The opaque identifier and authentication token are also required.

Device root certificate

Provider: Samsung mobile-device fabrication facility
Purpose: Authenticates the device

Samsung Pass certificate

Provider: Samsung Pass Authentication Framework on the device
Purpose: Authenticates the device and the Samsung Pass enabled app

Samsung Pass enabled app certificate

There are two copies of this certificate.

Provider: App developer of the Samsung Pass enabled app
Purpose: Authenticates the Samsung Pass enabled app
Copy one: The Samsung Pass Cloud account of the app developer
Copy two: The installation package of the Samsung Pass enabled app

Opaque identifier

Provider: The Samsung Pass enterprise partner
Purpose: Authenticates the enterprise customer’s information independently of Samsung Pass.

Authentication token

Provider: Samsung Pass
Purpose: Ensures transactions are live by setting an expiration time.

Using biometric authentication with Samsung Pass

From this point on, the device user can authenticate their identity for the enterprise-partner’s app through biometric authentication. The process of accepting biometric authentication is the same as enabling biometric authentication with one exception. The enterprise server no longer needs to provide the opaque identifier. Instead, the Samsung Pass Cloud returns the original opaque identifier for each subsequent authentication attempt.

Disassociating the enterprise app from Samsung Pass

The device user decides whether or not to replace a traditional login and password with biometric authentication. Conversely, the end user can also decide to revert from biometric authentication back to a traditional login and password. Theoretically, the user can go back and forth repeatedly which is why Samsung Pass is built to handle switching gracefully.

The Samsung Pass SDK provides APIs for handling the switch back to a traditional login and password. A Samsung Pass enabled app must use these APIs to provide the user with the option to revert.

If the user opts to revert, the Samsung Pass APIs delete the certificates associated with Samsung Pass Authentication Framework on the device as well as the device-specific certificates in the Samsung Pass Cloud.

The opaque identifier stored in the Samsung Pass Cloud is encrypted and its contents are determined by the enterprise partner so it has no value outside a Samsung Pass verification operation.

The authentication token issued by Samsung Pass expires after a span of just a few minutes so it is not relevant to the reversion operation either.